EVALUATION REPORT

Information Security Risk Evaluation of Region III – Lisle, IL

OIG-12-A-22          September 26, 2012

All publicly available OIG reports (including this report) are accessible through NRC's Web site at:
http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

UNITED STATES
NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001

OFFICE OF THE INSPECTOR GENERAL

September 26, 2012

MEMORANDUM TO:   R. William Borchardt
                 Executive Director for Operations

FROM:            Stephen D. Dingbaum /RA/
                 Assistant Inspector General for Audits

SUBJECT:         INFORMATION SECURITY RISK EVALUATION OF REGION III – LISLE, IL (OIG-12-A-22)

Attached is the Office of the Inspector General's (OIG) evaluation report titled, Information Security Risk Evaluation of Region III – Lisle, IL.

The report presents the results of the subject evaluation. The agency agreed with the evaluation findings at the August 10, 2012, exit conference, and provided comments on September 25, 2012, which were incorporated, as appropriate, into this report.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG followup as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915 or Beth Serepca, Team Leader, Security and Information Management Team, at 415-5913.

Attachment: As stated

Information Security Risk Evaluation of Region III – Lisle, IL

Contract Number: GS-00F-0001N
NRC Order Number: D12PD01191

September 25, 2012

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.

EXECUTIVE SUMMARY

BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) Office of the Inspector General tasked Richard S. Carson & Associates, Inc., to perform an information security risk evaluation of NRC's regional offices and the Technical Training Center. This report presents the results of the information security risk evaluation for the Region III office, which is located in Lisle, Illinois.

OBJECTIVES

The Region III information security risk evaluation objectives were to:

• Perform an independent information security risk evaluation of the NRC information technology (IT) security program, policies, and practices for compliance with the Federal Information Security Management Act (FISMA) of 2002 in accordance with Office of Management and Budget guidance and Federal regulations and guidelines as implemented at Region III.
• Evaluate the effectiveness of agency security control techniques as implemented at Region III.

RESULTS IN BRIEF

Region III has made improvements in its implementation of NRC's IT security program and practices for NRC IT systems since the previous evaluations in 2003, 2006, and 2009. All corrective actions from the previous evaluations have been implemented. However, the Region III IT security program and practices are not always consistent with NRC's IT security program, as summarized below.

Continuity of Operations and Recovery

Server administration procedures, including backup procedures, are not maintained and kept up-to-date as required.

IT Security Program

Regional procedures and divisional instructions specific to the Region III IT security program are not kept up-to-date. As a result, steps or processes could be skipped or forgotten if personnel responsible for a particular activity are unavailable.
In addition, outdated procedures make it more difficult when training new personnel to handle a specific activity.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to improve NRC's IT security program and implementation of FISMA at Region III. A consolidated list of recommendations appears on page 11 of this report.

ABBREVIATIONS AND ACRONYMS

ATO          Authority to Operate
CSO-STD      Computer Security Office Standard
FISMA        Federal Information Security Management Act
ISSO         Information Systems Security Officer
IT           Information Technology
LAN          Local Area Network
MD           Management Directive
NIST         National Institute of Standards and Technology
NRC          Nuclear Regulatory Commission
OIG          Office of the Inspector General
OMB          Office of Management and Budget
RP           Regional Procedure
SGI          Safeguards Information
SP           Special Publication

TABLE OF CONTENTS

Executive Summary ........................................ i
Abbreviations and Acronyms ............................... iii

1 Background ............................................. 1
2 Objectives ............................................. 2
3 Findings ............................................... 2
  3.1 Continuity of Operations and Recovery .............. 3
    3.1.1 Region III Servers ............................. 3
    FINDING #1: Server Administration Procedures Are Not Up-to-Date ... 3
    3.1.2 Server Administration Requirements ............. 3
    3.1.3 Agency Has Not Fully Met Requirements .......... 4
    3.1.4 Impact on Region III Operations ................ 5
  3.2 Information Technology Security Program ............ 5
    3.2.1 Region III Laptop Systems ...................... 5
    FINDING #2: Some Laptops Do Not Have a Current Authority To Operate ... 5
    3.2.2 Laptop System Requirements ..................... 6
    3.2.3 Agency Has Not Fully Met Requirements .......... 6
    3.2.4 Regional Procedures and Instructions ........... 7
    FINDING #3: Regional IT Security Program Procedures Are Not Kept Up-to-Date ... 7
    3.2.5 Requirements for Updating Procedures ........... 8
    3.2.6 Agency Has Not Fully Met Requirements .......... 8
    3.2.7 Impact on Region III Operations ................ 9
4 Consolidated List of Recommendations ................... 11

Appendix. OBJECTIVES, SCOPE, AND METHODOLOGY ............. 13

1 Background

The U.S. Nuclear Regulatory Commission (NRC) has four regional offices that conduct inspection, enforcement, investigation, licensing, and emergency response programs for nuclear reactors, fuel facilities, and materials licensees. The regional offices are the agency's front line in carrying out its mission and implementing established agency policies and programs nationwide.
The Region III office oversees regulatory activities in the northern midwestern United States; is located in Lisle, Illinois; and operates under the direction of a Regional Administrator. The region covers a seven-State area, including six States with nuclear power plants. Region III also oversees materials licensees in Missouri, which is located in Region IV.

Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, requires agencies to implement and maintain an information technology (IT) security program, including the preparation of policies, standards, and procedures. An effective IT security program is an important managerial responsibility. Management establishes a positive climate by making computer security a part of the information resources management process and providing support for a viable IT security program.

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002.[1] FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency's information security program[2] and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency's information systems. The evaluation also must include an assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines. FISMA requires the annual evaluation to be performed by the agency's Office of the Inspector General (OIG) or an independent external auditor.[3]

NRC maintains an IT security program to provide appropriate protection of information resources. In this regard, the role of the NRC OIG is to provide oversight of agency programs, including the IT security program in support of the NRC goal to ensure the safe use of radioactive materials for beneficial civilian purposes while protecting people and the environment.

[1] The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act, which expired in November 2002.
[2] NRC uses the term “information security program” to describe its program for ensuring that various types of sensitive information are handled appropriately and are protected from unauthorized disclosure in accordance with pertinent laws, Executive orders, management directives, and applicable directives of other Federal agencies and organizations. For the purposes of FISMA, the agency uses the term IT security program.
[3] While FISMA uses the language “independent external auditor,” OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, clarified this requirement by stating, “Within the context of FISMA, an audit is not contemplated. By requiring an evaluation but not an audit, FISMA intended to provide Inspectors General some flexibility…”

In support of its FISMA obligations, the NRC OIG tasked Richard S. Carson & Associates, Inc., to perform an information security risk evaluation of NRC's regional offices and the Technical Training Center to evaluate IT security programs in place at those locations, to include an assessment of potential physical security weaknesses, and to identify existing problems and make recommendations for corrective actions.

The information security risk evaluation focused on the following elements of NRC's IT security program, policies, and practices:

• Physical and Environmental Security Controls.
• Logical Access Controls.
• Configuration Management.
• Continuity of Operations and Recovery.
• IT Security Program.

This report presents the results of the information security risk evaluation for Region III. A consolidated list of recommendations appears on page 11.

2 Objectives

The Region III information security risk evaluation objectives were to:

• Perform an independent information security risk evaluation of the NRC IT security program, policies, and practices for compliance with FISMA in accordance with OMB guidance and Federal regulations and guidelines as implemented at Region III.
• Evaluate the effectiveness of agency security control techniques as implemented at Region III.

The report appendix contains a description of the evaluation objectives, scope, and methodology.

3 Findings

Region III has made improvements in its implementation of NRC's IT security program and practices for NRC IT systems since the previous evaluations in 2003, 2006, and 2009. All corrective actions from the previous evaluations have been implemented.
However, the Region III IT security program and practices are not always consistent with NRC's IT security program as defined in Management Directive (MD) and Handbook 12.5, NRC Automated Information Systems Security Program; other NRC policies; FISMA; and National Institute of Standards and Technology (NIST) guidance. While many of the Region III automated and manual IT security controls are generally effective, some IT security controls need improvement. Specifics on continuity of operations and recovery and the Region III IT security program are described in the following sections.

3.1 Continuity of Operations and Recovery

Region III procedures for maintaining continuity of operations and recovery are generally consistent with the requirements in MD and Handbook 12.1, NRC Facility Security Program; MD and Handbook 12.5; and NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems. Region III has documented server administration procedures, including procedures for backups of seat-managed and NRC-managed servers. Region III has also developed a site-specific Occupant Emergency Plan and a contingency plan for the Region III Private Branch Exchange.

However, the evaluation team found that server administration procedures, including backup procedures, are not maintained and kept up-to-date as required.

3.1.1 Region III Servers

Region III is supported by IT equipment that is both seat-managed and NRC-managed. Core regional servers are provided and managed by the seat management contractor and include domain controllers, mail servers, multipurpose servers, a tape server, and virtual servers. Seat-managed servers are included in the authorization boundary of the IT Infrastructure system. Additional regional servers are owned and managed by Region III and include a database server and knowledge management servers. NRC-managed servers at Region III are included in the authorization boundary of the Region III Site System.

FINDING #1: Server Administration Procedures Are Not Up-to-Date

MD and Handbook 12.5, NRC standards, and NIST SP 800-53 detail requirements for certain aspects of server administration, including backups of IT systems. However, Region III has not met all the requirements. Specifically, server administration procedures, including backup procedures, are not maintained and kept up-to-date as required.

3.1.2 Server Administration Requirements

MD and Handbook 12.5 detail requirements for backups of IT systems, and state that these procedures should be implemented when backing up media to ensure that reliable backups are available if there is a need for system or file recovery. These procedures include, but are not limited to:

• Backup schedule – outlines the type of backup, the interval for each backup, the storage location, and the number of copies of each backup.
• Full backups – performed at least weekly.
• Incremental (differential) backups – performed nightly.
• Location of backups – at least two full backups maintained. One should remain onsite and a second copy should be removed to an offsite storage facility immediately after its creation.
• Backup media – use high-quality media to ensure good quality backups are available for recovery should the need arise.
• Storage of backups – store both onsite and offsite backups in a location, cabinet, or safe that is waterproof and fireproof for at least 14 days or as recommended by the agency.
• Testing of storage – backups are periodically tested to ensure they can be used effectively to restore sensitive information.

Computer Security Office Standard (CSO-STD) 2002, System Back-up Standard, V1.1, dated December 15, 2010, states that backup and recovery procedures are to be developed, documented, approved, maintained, and used for all systems operated by or on behalf of NRC.

CSO-STD-2001, Operating Procedures Standard, V1.1, dated April 15, 2011, states that documented and periodically reviewed operational procedures and responsibilities capture the requirements for secure operation of information systems and effective management and support of IT systems. This standard requires system owners to ensure operating procedures are reviewed and approved on a periodic basis, at least annually.

3.1.3 Agency Has Not Fully Met Requirements

Region III has developed server administration procedures, including backup procedures, for both seat-managed servers and NRC-managed servers. These procedures are documented in DI-NR-008, Server Administration, dated September 10, 2010.
The seat-management contractor is responsible for performing backups of both seat-managed and NRC-managed servers. While Region III has developed and documented required backup procedures, the procedures do not reflect the server infrastructure currently in place in Region III. For example, DI-NR-008 includes a list of seat-managed and NRC-managed servers covered by the document; however, this list includes several servers that have been decommissioned and does not include several new servers. In addition, DI-NR-008 states that all servers listed in Section C of the document are included in the backup procedures when, in fact, they are not. The Region III seat-management contractor is not responsible for performing backups of the Citrix servers located in Region III. In addition, the seat-management contractor is frequently asked by headquarters to create a Ghost[4] image of a server that headquarters needs to patch (e.g., Citrix server, badge access system server). This process is currently ad hoc and there is no set schedule. In addition, procedures for creating Ghost images, including where those images are stored, are not documented.

In addition to outdated backup procedures, DI-NR-008 also includes references to the previous seat-management contractor. The seat-management contract was transitioned to the current contractor in December 2011. This document also includes a section describing role-based access to Region III servers; however, this section is not up-to-date and does not reflect the current server infrastructure in place in Region III.

[4] Ghost (general hardware-oriented system transfer) is a software product that creates full system (disk image) backups.

3.1.4 Impact on Region III Operations

While the server administration procedures that are currently implemented would ensure server availability during core hours and minimize data loss in the event of a computer failure, the procedures are not up-to-date. For example, software performs many of the backups automatically, but someone must ensure the backup jobs include all required servers and run without errors. The procedures need to be current so that if the primary personnel responsible for server administration are not available, alternates have the information necessary to follow the procedures. Current procedures can also be useful when training new employees with responsibilities for server administration.

RECOMMENDATION

The Office of the Inspector General recommends that the Executive Director for Operations:

1. Update DI-NR-008, Server Administration, to (i) reflect the current Region III server infrastructure; (ii) document current backup procedures for seat-managed and NRC-managed servers; (iii) document procedures for creating Ghost images, including where those images are stored; (iv) define the schedule for creating Ghost images; (v) correct references to the current seat-management contractor; and (vi) correct any other sections impacted by the changes to the server infrastructure or the transition to the new seat-management contractor.

3.2 Information Technology Security Program

Overall, Region III is following agency security policies and procedures regarding IT security. Region III has developed regional procedures and divisional instructions that are generally up-to-date and are available on the Region III internal Web site. Staff receive training regarding IT security during the onboarding process and the Information Systems Security Officer (ISSO) sends periodic cybersecurity reminders on topics. Users are generally aware of and are following agency and Region III IT security policies and procedures.

However, the evaluation team found issues with the Region III laptop systems and with keeping Region III IT security program procedures up-to-date.

3.2.1 Region III Laptop Systems

Laptops in use at Region III are either seat-managed laptops or NRC-owned laptops. Seat-managed laptops in use at Region III include those laptops that are part of the agency's new work from anywhere/mobile desktop program.
NRC-owned laptops in use at Region III include loaner laptops and laptops used to process safeguards information (SGI) or classified information.

FINDING #2: Some Laptops Do Not Have a Current Authority To Operate

The NRC Laptop Security Policy, which specifies the requirements for authorization of laptop systems, states that all NRC laptops must be either designated a system or included as part of an existing system. NRC-owned laptops in use at Region III include loaner laptops and laptops used to process SGI or classified information. However, the evaluation team found that some NRC-owned laptops do not have a current authority to operate (ATO). As a result, Region III is not fully compliant with NRC requirements for laptop systems.

3.2.2 Laptop System Requirements

The NRC Laptop Security Policy states that all NRC laptops must either be designated a system or be included as part of an existing system. All laptops that are not seat-managed are considered to be organization-managed, i.e., NRC-owned. All NRC-owned laptops that process or access classified national security information belong to that office's or region's “Classified Laptop System.” All NRC-owned laptops that process or access SGI and are not part of the office's or region's “Classified Laptop System” belong to that entity's “SGI Laptop System.” All NRC-owned laptops that are not part of the office's or region's “Classified Laptop System” or the office's or region's “SGI Laptop System” belong to that entity's “General Laptop System.”

The NRC Laptop Security Policy also specifies the following requirements for authorization (formerly referred to as accreditation):

• Laptop systems must meet the requirements provided in the relevant standard security plan. There is a different standard security plan for classified, SGI, and general laptops.
• Laptop systems must be certified by the system owner as compliant with the relevant laptop system requirements.
• Laptop systems must be accredited by the appropriate Designated Approving Authority prior to processing any relevant (i.e., classified, SGI, sensitive unclassified) information on the system.
• Certification of a laptop system requires a system certification memorandum from the laptop system owner. The memorandum must include an enclosure that provides the names and contact information for the: System Owner, Certification Agent, ISSO, Alternate ISSO, and System Administrator.
• For each laptop or removable hard drive that is part of the laptop system, the enclosure must provide information such as physical storage location, location where system is used, brand, model, tag number, peripherals, etc.

3.2.3 Agency Has Not Fully Met Requirements

Region III currently has one laptop system – a general laptop system with a current ATO that covers the Region III loaner laptops. Region III also has three SGI laptops still on the NRC inventory of systems. During the site visit to Region III, the evaluation team was unable to determine whether the three SGI laptops were still in use and therefore should be covered under a Region III SGI laptop system with a current ATO. Subsequent to the site visit, Region III informed the evaluation team the three SGI laptops are no longer in use and are in the process of being decommissioned. Therefore, there is no need for Region III to establish a Region III SGI laptop system to cover these three laptops.

3.2.4 Regional Procedures and Instructions

Region III uses various types of procedures to inform the staff of standardized regional practices, division-level directives related to policy and operational matters, and general information, including policies, practices, and guidance specific to the Region III IT security program. These procedures include regional procedures, regional notices, and division instructions.
Regional procedures are policies, practices, or guidance affecting more than one division or programmatic area within the regional office or programs in more than one strategic arena. They are intended to be of a permanent or long-term nature and remain in effect until they are revised or cancelled. Regional notices are intended to keep the staff informed, but do not establish comprehensive policy for the staff to follow. All notices contain an expiration date. Division instructions are policies, practices, or guidance affecting one division or programmatic area and are used to disseminate detailed guidance at the division level for implementing procedures or other agency policy.

The following are some examples of regional procedures and divisional instructions specific to the Region III IT security program:

• RP-12.1, Region III Facility Security Program, dated October 8, 2010 – describes the policies, controls, and employee responsibilities for the protection of Region III personnel, property, and unclassified facilities.
• DI-12.1, Region III Security System Testing Process, dated January 4, 2012 – provides guidance and instructions related to the processes necessary for Region III to perform NRC-required security system tests.
• DI-12.1, Badging Procedures, dated April 27, 2012 – provides details and procedures for enrolling, obtaining, activating, distributing, and monitoring security badges in NRC Region III office space.
• DI-NR-006, Region III Switchboard Operations, dated October 20, 2010 – a procedure and handbook that establishes and provides guidance for contractors and NRC personnel responsible for day-to-day operations of the Region III switchboard and reception area.
• DI-NR-008, Server Administration, dated September 10, 2010 – provides a standardized mode of operation to support the network servers used in Region III.

FINDING #3: Regional IT Security Program Procedures Are Not Kept Up-to-Date

NRC has developed several security standards that specify the frequency of reviewing and updating IT security program procedures. However, as discussed in finding 1 and further described in the following sections, regional procedures and divisional instructions specific to the Region III IT security program are not kept up-to-date. As a result, steps or processes could be skipped or forgotten if personnel responsible for a particular activity are unavailable. In addition, outdated procedures make it more difficult when training new personnel to handle a specific activity.

3.2.5 Requirements for Updating Procedures

CSO-STD-0020, Organization Defined Values for System Security Controls, Revision 1.1, dated July 1, 2012, defines the mandatory values for specific controls in the 18 security control families described in NIST SP 800-53. The standard requires that documented procedures to facilitate the implementation of a control be reviewed and updated annually. The standard also requires system owners to review system security plans at least annually and update them to address changes to the information system and/or environment of operation. CSO-STD-2001 states that documented and periodically reviewed operational procedures and responsibilities capture the requirements for secure operation of information systems and effective management and support of IT systems. This standard requires system owners to ensure operating procedures are reviewed and approved on a periodic basis, at least annually.

Regional Procedure (RP) 3.57, System of Procedures, Notices, and Division Instructions, dated October 15, 2009, controls activities associated with the development, revision, and cancellation of regional procedures, regional notices, and division instructions in sufficient detail to ensure processing standardization. RP-3.57 requires procedures and instructions to be reviewed or revised, at a minimum, every 3 years.

3.2.6 Agency Has Not Fully Met Requirements

Region III has developed several regional procedures and divisional instructions specific to the Region III IT security program. However, as discussed in finding 1, the evaluation team found that DI-NR-008 is not up-to-date. In addition, the evaluation team found that the following regional procedures and divisional instructions are also not up-to-date:

• RP-12.1, Region III Facility Security Program – Section F.4.h describes the requirement to review access permissions to the Region III server room and local area network (LAN) closets (that are equipped with card readers) on a semiannual basis. However, this process is now performed quarterly as part of the testing of the Region III security system. In addition, sections F.4.c and F.4.f of this document describe the old color-coded NRC identification badges.
• DI-12.1, Region III Security System Testing Process – as of June 2012, the quarterly security system test also includes a review of access permissions to the Region III server room and LAN closets (that are equipped with card readers).
This document does not\n       describe the process for performing that review.\n       DI-NR-006, Region III Switchboard Operations \xe2\x80\x93 section IV.B.3 of the handbook\n       describes the old color-coded NRC identification badges. Some of the functions\n       described in this document are now performed by the protective security officer (e.g.,\n       performing an audit of all temporary badges); however, this document assigns those\n       duties to the receptionist.\n\nRP-3.57 requires procedures and instructions to be reviewed or revised, at a minimum, every 3\nyears. However, per NRC security standards, some procedures require more frequent review and\nupdate \xe2\x80\x93 at least annually for documented procedures to facilitate the implementation of security\ncontrols in the 18 security controls families described in NIST SP 800-53 and for operational\n\n\n                                                 8\n\x0c                                                                   Information Security Risk Evaluation of\n                                                                                      Region III \xe2\x80\x93 Lisle, IL\n\n\nprocedures that capture the requirements for secure operation of information systems and for\neffective management and support of IT systems.\n\n3.2.7 Impact on Region III Operations\n\nOutdated procedures can result in steps or processes being skipped or forgotten if personnel\nresponsible for a particular activity are unavailable. In addition, outdated procedures make it\nmore difficult when training new personnel to handle a specific activity. Current procedures\nensure continuity in performing a specific IT security function in the event of staff turnover and\nare excellent for training new personnel and an excellent reference for existing personnel.\n\nRECOMMENDATIONS\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   2. 
Update RP-12.1, Region III Facility Security Program, to describe the current\n      requirement to review access permissions to the Region III server room and LAN closets\n      (that are equipped with card readers) on a quarterly basis and to reflect the current NRC\n      employee badge characteristics.\n   3. Update DI-12.1, Region III Security System Testing Process, to describe the current\n      requirement to review access permissions to the Region III server room and LAN closets\n      (that are equipped with card readers) on a quarterly basis.\n   4. Update DI-NR-006, Region III Switchboard Operations, to reflect the current NRC\n      employee badge characteristics and to describe functions now performed by the\n      protective security officer instead of the receptionist.\n   5. Update RP-3.57, System of Procedures, Notices, and Division Instructions, to specify\n      which regional procedures and divisional instructions require annual review and update.\n\n\n\n\n                                                 9\n\x0c                                  Information Security Risk Evaluation of\n                                                     Region III \xe2\x80\x93 Lisle, IL\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              10\n\x0c                                                                  Information Security Risk Evaluation of\n                                                                                     Region III \xe2\x80\x93 Lisle, IL\n\n\n4      Consolidated List of Recommendations\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. 
Update DI-NR-008, Server Administration, to (i) reflect the current Region III server\n       infrastructure; (ii) document current backup procedures for seat-managed and NRC-\n       managed servers; (iii) document procedures for creating Ghost images, including where\n       those images are stored; (iv) define the schedule for creating Ghost images; (v) correct\n       references to the current seat-management contractor; and (vi) correct any other sections\n       impacted by the changes to the server infrastructure or the transition to the new seat-\n       management contractor.\n    2. Update RP-12.1, Region III Facility Security Program, to describe the current\n       requirement to review access permissions to the Region III server room and LAN closets\n       (that are equipped with card readers) on a quarterly basis and to reflect the current NRC\n       employee badge characteristics.\n    3. Update DI-12.1, Region III Security System Testing Process, to describe the current\n       requirement to review access permissions to the Region III server room and LAN closets\n       (that are equipped with card readers) on a quarterly basis.\n    4. Update DI-NR-006, Region III Switchboard Operations, to reflect the current NRC\n       employee badge characteristics and to describe functions now performed by the\n       protective security officer instead of the receptionist.\n    5. 
Update RP-3.57, System of Procedures, Notices, and Division Instructions, to specify\n       which regional procedures and divisional instructions require annual review and update.\n\n\n\n\n                                               11\n\x0c                                  Information Security Risk Evaluation of\n                                                     Region III \xe2\x80\x93 Lisle, IL\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              12\n\x0c                                                                   Information Security Risk Evaluation of\n                                                                                      Region III \xe2\x80\x93 Lisle, IL\n\n\nAppendix.          OBJECTIVES, SCOPE, AND METHODOLOGY\n\nOBJECTIVES\n\nThe Region III information security risk evaluation objectives were to:\n\n        Perform an independent information security risk evaluation of the NRC IT security\n        program, policies, and practices for compliance with FISMA in accordance with OMB\n        guidance and Federal regulations and guidelines as implemented at Region III.\n        Evaluate the effectiveness of agency security control techniques as implemented at\n        Region III.\n\nSCOPE\n\nThe scope of this information security risk evaluation included:\n\n        The three floors Region III occupies at 2443 Warrenville Road, Suite 210, Lisle, Illinois\n        60532-4352.\n        Region III seat-managed equipment.\n        Region III NRC-managed equipment.\n\nThe information security risk evaluation did not include controls related to the management of\nsafeguards or classified information.\n\nThe evaluation work was conducted during a site visit to Region III in Lisle, IL, between August\n6, 2012, and August 10, 2012. Any information received from the agency subsequent to the\ncompletion of fieldwork was incorporated when possible. 
Throughout the evaluation, evaluators\nwere aware of the potential for fraud, waste, or misuse in the program.\n\nMETHODOLOGY\n\nRichard S. Carson & Associates, Inc., conducted a high-level, qualitative evaluation of the NRC\nIT security program, policies, and practices as implemented at Region III, and evaluated the\neffectiveness of agency security control techniques as implemented at Region III.\n\nIn conducting the information security risk evaluation, the following areas were reviewed:\nphysical and environmental security controls, logical access controls, configuration management,\nIT security program, and continuity of operations and recovery. Specifically, the evaluation\nteam conducted site surveys of the three floors Region III occupies at 2443 Warrenville Road,\nSuite 210, Lisle, Illinois 60532-4352, focusing on the areas that house IT equipment. The team\nconducted interviews with the Region III ISSO, the seat-management server administrator, the\nRegion III server administrator, and other Region III staff members responsible for\nimplementing the agency\xe2\x80\x99s IT security program at Region III. The evaluation team also\nconducted user interviews with 14 Region III employees, including two Resident Inspectors and\none teleworker. The team reviewed documentation provided by Region III including floor plans,\n\n\n\n                                                13\n\x0c                                                                 Information Security Risk Evaluation of\n                                                                                    Region III \xe2\x80\x93 Lisle, IL\n\n\ninventories of hardware and software, local policies and procedures, security plans, backup\nprocedures, contingency plans, and the Occupancy Emergency Plan. 
The information security\nrisk evaluation also included a network vulnerability assessment scan of the Region III network\nand the Region III Resident Inspector sites.\n\nAll analyses were performed in accordance with guidance from the following:\n\n       NIST standards and guidelines.\n       NRC MD and Handbook 12.5, NRC Automated Information Security Program.\n       NRC Computer Security Office policies, processes, procedures, standards, and\n       guidelines.\n       NRC OIG audit guidance.\n\nThe work was conducted by Jane M. Laroussi, CISSP, CAP, GIAC ISO-17799; and Joseph\nRood, GWAPT, CISSP, CISA, from Richard S. Carson & Associates, Inc.\n\n\n\n\n                                               14\n\x0c'